





TOR BROWSER FORENSICS ON WINDOWS OS 


MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA
DFRWS 2015
DUBLIN, 24 MARCH 2015





REAL CASE 





• Management salaries of a private company were published on a blog

• Through an analysis of the internal network, we found a possible suspect, because he had accessed the Excel file containing the salaries the day before the publication

• The company asked us to analyze the employee's laptop

• We found evidence confirming that the Excel file was opened [LNK, Jumplist, ShellBags]

• But no traces of the publishing activity on the blog were found in the browsing history...








PREVIOUS RESEARCH 


• An interesting piece of research by Runa Sandvik is available at:
  Forensic Analysis of the Tor Browser Bundle on OS X, Linux, and Windows
  https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf

• We started from her work to find other interesting artifacts


TOR BROWSER — MICROSOFT WINDOWS 







[Screenshot of the torproject.org download page]

What is the Tor Browser?

The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.

Version 4.0.2

The Tor Browser lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.







[Screenshot of the Tor Browser Bundle installer, "Choose Install Location" step]

Setup will install Tor Browser Bundle in the following folder. To install in a different folder, click Browse and select another folder. Click Install to start the installation.

Destination Folder: C:\Users\Mattia.Mattia-PC\Desktop\Tor Browser
Space required: 78.6MB
Space available: 910.2GB

Nullsoft Install System v2.46-7

















TOR BROWSER FOLDER





• The most interesting folders are located in \Tor Browser\Browser\TorBrowser:








[Screenshot: forensic file listing of the two folders, dated 15/02/2014 (Data\Tor) and 12/12/2014 to 30/01/2015 (profile.default)]

Data\Tor: cached-certs, cached-certs.tmp, cached-microdesc-co..., cached-microdescs.new, control_auth_cookie, state, torrc-defaults, torrc, torrc.orig.1 (plus the related file slack entries)

Data\Browser\profile.default: bookmarkbackups, extensions, HTTPSEverywhereUser..., preferences, webapps (directories); bookmarks.html, cookies.sqlite, extensions.ini, extensions.json, extensions.sqlite (files)


FOLDER DATA\TOR 





• State: it contains the last execution date

# Tor state file last generated on 2014-02-15 18:59:26 local time
# Other times below are in UTC
# You *do not* need to edit this file.
TorVersion Tor 0.2.4.20 (git-d90102bcf0c25d96)
LastWritten 2014-02-15 17:59:26

• Torrc: it contains the path from where the Tor Browser was launched, including the drive letter

# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it
DataDirectory E:\Tor Browser\Data\Tor
DirReqStatistics 0
GeoIPFile E:\Tor Browser\Data\Tor\geoip





FOLDER \DATA\BROWSER\PROFILE.DEFAULT

The traditional Firefox folder containing the user profile, without usage traces. The most interesting files:

• Compatibility.ini

[Compatibility]
LastVersion=24.3.0_20000101000000/20000101000000
LastOSABI=WINNT_x86-gcc3
LastPlatformDir=E:\Tor Browser\Browser
LastAppDir=E:\Tor Browser\Browser\browser
InvalidateCaches=1

• Extensions.ini

[ExtensionDirs]
Extension0=E:\Tor Browser\Data\Browser\profile.default\extensions\tor-launcher@torproject.org
Extension1=E:\Tor Browser\Data\Browser\profile.default\extensions\torbutton@torproject.org
Extension2=E:\Tor Browser\Data\Browser\profile.default\extensions\{73a6fe31-595d-460b-a920-...
Extension3=E:\Tor Browser\Data\Browser\profile.default\extensions\https-everywhere@eff.org

From these two files we can recover:

• Browser execution path
• Date Created > First execution
• Date Modified > Last execution
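A small parser for the three files discussed above (state, torrc and compatibility.ini), added here as an example and not part of the original talk. It embeds constructed copies of the files with the values shown on the slides; the UTC-offset trick (header comment in local time versus LastWritten in UTC) and the drive-letter check are the only logic it adds.

```python
import re
from datetime import datetime

# Constructed sample files with the values shown in the slides, embedded so the script runs offline.
STATE_FILE = """# Tor state file last generated on 2014-02-15 18:59:26 local time
# Other times below are in UTC
TorVersion Tor 0.2.4.20 (git-d90102bcf0c25d96)
LastWritten 2014-02-15 17:59:26
"""
TORRC_FILE = """# This file was generated by Tor; if you edit it, comments will not be preserved
DataDirectory E:\\Tor Browser\\Data\\Tor
GeoIPFile E:\\Tor Browser\\Data\\Tor\\geoip
"""
COMPAT_INI = """[Compatibility]
LastVersion=24.3.0_20000101000000/20000101000000
LastPlatformDir=E:\\Tor Browser\\Browser
LastAppDir=E:\\Tor Browser\\Browser\\browser
"""
TS_RE = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

def parse_state(text):
    """Last Tor run from the state file. The header comment is in local time and
    LastWritten in UTC, so their difference gives the machine's UTC offset."""
    local = re.search(r"last generated on " + TS_RE + " local time", text)
    written = re.search(r"^LastWritten " + TS_RE, text, re.M)
    version = re.search(r"^TorVersion (.+)$", text, re.M)
    local_dt = datetime.strptime(local.group(1), TS_FORMAT)
    utc_dt = datetime.strptime(written.group(1), TS_FORMAT)
    return {"last_run_utc": utc_dt,
            "utc_offset_hours": (local_dt - utc_dt).total_seconds() / 3600,
            "tor_version": version.group(1).strip()}

def launch_paths(torrc, compat_ini):
    """Paths recording where Tor Browser was launched from, with the drive letter.
    torrc lines are 'Key value', compatibility.ini lines are 'Key=value'."""
    found = {}
    for key, text in (("DataDirectory", torrc), ("GeoIPFile", torrc),
                      ("LastPlatformDir", compat_ini), ("LastAppDir", compat_ini)):
        m = re.search(r"^%s[ =](.+?)\s*$" % key, text, re.M)
        if m:
            path = m.group(1)
            drive = path[0].upper() if len(path) > 1 and path[1] == ":" else None
            found[key] = {"path": path, "drive": drive}
    return found

def launch_drives(torrc, compat_ini):
    """Distinct drive letters seen; a letter other than the system drive
    suggests the bundle was run from removable media."""
    return sorted({v["drive"] for v in launch_paths(torrc, compat_ini).values() if v["drive"]})
```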








OS ARTIFACTS ANALYSIS 





• Evidence of Tor usage can be found (mainly) in:
  • Prefetch file TORBROWSERINSTALL-<VERSION>-<PATH-HASH>.pf
  • Prefetch file TOR.EXE-<PATH-HASH>.pf
  • Prefetch file FIREFOX.EXE-<PATH-HASH>.pf
  • Prefetch file START TOR BROWSER.EXE-<PATH-HASH>.pf (old versions < 4.0.2)
  • NTUSER.DAT registry hive > UserAssist key
  • Windows Search Database
  • Thumbnail cache


PREFETCH FILES

• We can recover:
  • First execution date
  • Last execution date
  • In Windows 8/8.1 -> last 8 executions
  • Number of executions
  • Execution path
  • Install date (from the Tor Browser Install prefetch file)
  • Tor Browser version (from the Tor Browser Install prefetch file)

File Name | Created Date | Modified Date | Date Last Run | Num Times Run | Physical Path
TORBROWSER-INSTALL-3.6.6_EN-US.EXE-5CBCBFDE.pf | giovedì 2 ott... | giovedì 2 ott... | giovedì 2 ottobre 2014 (gio) 20:44:01 | 1 | \DEVICE\HARDDISKVOLUME2\USERS\MATTIA.MATTIA-PC\DOWNLOADS\TORBROWSER-INSTALL-3.6.6_EN-US.EXE
START TOR BROWSER.EXE-E2BF03B1.pf | giovedì 2 ott... | giovedì 2 ott... | giovedì 2 ottobre 2014 (gio) 21:36:34 | 5 | \DEVICE\HARDDISKVOLUME2\USERS\MATTIA.MATTIA-PC\DESKTOP\TOR BROWSER\START TOR BROWSER.EXE
TOR.EXE-60C44E64.pf | giovedì 2 ott... | giovedì 2 ott... | giovedì 2 ottobre 2014 (gio) 21:36:35 | 5 | \DEVICE\HARDDISKVOLUME2\USERS\MATTIA.MATTIA-PC\DESKTOP\TOR BROWSER\TOR\TOR.EXE


USER ASSIST 





• We can recover:
  • Last execution date
  • Number of executions
  • Execution path

• By analyzing the various NTUSER.DAT copies from VSS we can identify the number and time of executions in a period of interest

userassist2 v.20120528
(NTUSER.DAT) Displays contents of UserAssist subkeys

UserAssist
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
LastWrite Time Wed Jul 24 16:27:27 2013 (UTC)

{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
Mon Feb 17 08:30:05 2014 Z
  Microsoft.InternetExplorer.Default (2)
Sat Feb 15 17:59:09 2014 Z
  E:\Tor Browser\Start Tor Browser.exe (1)
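An added example (not code from the talk) showing what a tool such as RegRipper does with a raw UserAssist value, and how comparing the same value across NTUSER.DAT copies from Volume Shadow Copies yields the run count per time window. The Windows 7/8 72-byte value layout (run count at offset 4, FILETIME at offset 60) is assumed from public UserAssist documentation; the sample values are constructed to mirror the slide.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def decode_userassist(value_name, data):
    """Decode one Windows 7/8 UserAssist value. The value name is ROT13 of the
    executable path; in the 72-byte data block the run count sits at offset 4
    and the last-execution FILETIME at offset 60 (layout assumed from public
    UserAssist documentation, not from the slides)."""
    if len(data) < 68:
        raise ValueError("expected a 72-byte Windows 7/8 UserAssist entry")
    return {"path": codecs.decode(value_name, "rot13"),
            "run_count": struct.unpack_from("<I", data, 4)[0],
            "last_run": filetime_to_datetime(struct.unpack_from("<Q", data, 60)[0])}

def runs_between_snapshots(entries):
    """Given the same entry decoded from successive NTUSER.DAT copies (for
    example from Volume Shadow Copies, oldest first), report how many runs
    happened between each pair of snapshots and in which time window."""
    return [(old["last_run"], new["last_run"], new["run_count"] - old["run_count"])
            for old, new in zip(entries, entries[1:])]

def build_entry(run_count, last_run):
    """Constructed 72-byte data block for demonstration and testing."""
    ft = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, ft)
    return bytes(data)

# Constructed value mirroring the slide: Start Tor Browser.exe on drive E:,
# run once, last on 2014-02-15 17:59:09 UTC. The second snapshot is invented
# purely to show the VSS comparison.
SAMPLE_NAME = codecs.encode(r"E:\Tor Browser\Start Tor Browser.exe", "rot13")
SNAPSHOT_1 = build_entry(1, datetime(2014, 2, 15, 17, 59, 9, tzinfo=timezone.utc))
SNAPSHOT_2 = build_entry(4, datetime(2014, 2, 20, 9, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    decoded = [decode_userassist(SAMPLE_NAME, d) for d in (SNAPSHOT_1, SNAPSHOT_2)]
    print(decoded[0], runs_between_snapshots(decoded))
```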


OTHER ARTIFACTS ON THE HARD DRIVE 


• Other files noted:
  • Thumbnail Cache: it contains the Tor Browser icon
  • Windows Search Database: Tor Browser file and folder paths


BROWSING ACTIVITIES 


• Evidence of browsing activities can be found in:
  • Bookmarks (places.sqlite database)
  • Pagefile.sys
  • Memory Dump / Hiberfil.sys


BOOKMARKS

User saved bookmarks (rows from places.sqlite: title, dateAdded, lastModified, guid):

Recent Tags | <null> | <null> | 1414090034209000 | 1414090034209000 | QyakxoyzEcFe
REALITY NET - System Solutions - Digital Forensics | <null> | <null> | 1414839318764000 | 1414839319124000 | bDINaxIDimemU

[Screenshot of an online epoch converter: "Convert epoch to human readable date and vice versa"]

Timestamp to human date: 1414839318764000
Assuming that this timestamp is in microseconds (1/1,000,000 second):
GMT: Sat, 01 Nov 2014 10:55:18 GMT
Your time zone: sabato 1 novembre 2014 11:55:18 GMT+1:00
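The bookmark extraction and timestamp conversion above, as an added example (not the talk's own tooling). It builds a constructed, reduced places.sqlite in memory holding the two rows from the slide (the bookmark URL is a placeholder), then selects only real URL bookmarks and converts the PRTime microsecond values exactly, in UTC and in the GMT+1 zone of the examined machine.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def prtime_to_datetime(prtime):
    """places.sqlite stores PRTime: microseconds since the Unix epoch, in UTC.
    Integer arithmetic keeps the microsecond part exact (no float rounding)."""
    return UNIX_EPOCH + timedelta(microseconds=prtime)

def build_sample_places():
    """Constructed in-memory places.sqlite, reduced to the columns the query uses,
    holding the two rows shown on the slide (the URL is a placeholder)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER,
            parent INTEGER, title TEXT, dateAdded INTEGER, lastModified INTEGER, guid TEXT);
        INSERT INTO moz_places VALUES (1, 'http://bookmarked-site.example/', 'REALITY NET');
        INSERT INTO moz_bookmarks VALUES
            (1, 2, NULL, 0, 'Recent Tags', 1414090034209000, 1414090034209000, 'QyakxoyzEcFe'),
            (2, 1, 1, 1, 'REALITY NET - System Solutions - Digital Forensics',
                1414839318764000, 1414839319124000, 'bDINaxIDimemU');
    """)
    return db

def user_bookmarks(db, local_tz=timezone(timedelta(hours=1))):
    """User-saved bookmarks (type 1 = URL) with timestamps converted to UTC and to
    the examined machine's local zone; folders and tag containers (type 2) are skipped."""
    rows = db.execute("""
        SELECT b.title, p.url, b.dateAdded, b.lastModified, b.guid
        FROM moz_bookmarks b JOIN moz_places p ON p.id = b.fk
        WHERE b.type = 1 ORDER BY b.dateAdded""")
    result = []
    for title, url, added, modified, guid in rows:
        added_utc = prtime_to_datetime(added)
        result.append({"title": title, "url": url, "guid": guid,
                       "added_utc": added_utc,
                       "added_local": added_utc.astimezone(local_tz),
                       "modified_utc": prtime_to_datetime(modified)})
    return result

if __name__ == "__main__":
    for bm in user_bookmarks(build_sample_places()):
        print(bm["added_utc"].isoformat(), bm["added_local"].isoformat(), bm["title"])
```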











PAGEFILE.SYS 


• Information about visited websites

• Search for the keyword HTTP-memory-only-PB

[Screenshot: hex dump of pagefile.sys with an entry of the form HTTP-memory-only-PB:domain=<site>&uri=http://<site>/wp-content/plugins/.../popup_ajax_loader.gif]





HTTP-MEMORY-ONLY-PB

• A feature used by Mozilla Firefox for Private Browsing (cache data is not saved on the hard drive)

• Tor Browser uses the Private Browsing feature of Mozilla Firefox

• But Tor Browser typically uses an old Firefox version, based on Firefox ESR

• To distinguish whether the browsing activity was made with Mozilla Firefox or with Tor Browser:
  • Check if Firefox is installed
  • If it is installed, verify the actual version





[Screenshot: hex dump of pagefile.sys showing a carved HTTP request and its private-browsing cache key]

GET /it/home/images/30 years copy.png HTTP/1.1
Host: www.apple.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.apple.com/it/
Connection: keep-alive
...
HTTP-memory-only-PB:domain=www.apple.com&uri=htt... /30 years copy.png
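An added carving example (not from the talk) for the keyword search described above: it scans a raw pagefile/hiberfil/memory image for private-browsing cache keys, pulls out the Firefox major version from carved User-Agent headers (an ESR-era version with no Firefox installed is the page's tell for Tor Browser), and filters the carved URLs for a path keyword such as the blog admin page. The key layout HTTP-memory-only-PB:domain=<host>&uri=<url> follows the screenshots; the exact separators are an assumption for other versions, and the sample blob is constructed.

```python
import re
from urllib.parse import urlsplit

# Key layout HTTP-memory-only-PB:domain=<host>&uri=<url> follows the screenshots in the
# slides; the exact separators are an assumption for other Firefox/Tor Browser versions.
PB_KEY = re.compile(rb"HTTP-memory-only-PB:domain=([A-Za-z0-9.\-]+)&uri=([!-~]+)")
USER_AGENT = re.compile(rb"User-Agent: Mozilla/5\.0 \([^)]*\) Gecko/\d+ Firefox/(\d+)\.\d+")

def carve_private_browsing_keys(blob):
    """(domain, uri) for every private-browsing cache key found in a raw
    pagefile.sys, hiberfil.sys or memory image read as bytes."""
    return [(d.decode("ascii"), u.decode("ascii")) for d, u in PB_KEY.findall(blob)]

def carve_firefox_versions(blob):
    """Distinct Firefox major versions seen in carved User-Agent headers; an ESR-era
    version with no Firefox installed points to Tor Browser rather than Firefox."""
    return sorted({int(v) for v in USER_AGENT.findall(blob)})

def keyword_hits(keys, needle="/wp-admin/"):
    """Carved keys whose URL path contains the keyword of interest."""
    return [(d, u) for d, u in keys if needle in urlsplit(u).path]

# Constructed sample blob: two cache keys and one request header separated by
# binary noise, the way fragments sit in a real pagefile.
SAMPLE_BLOB = (
    b"\x00\x00\x17\x9a"
    b"HTTP-memory-only-PB:domain=www.apple.com&uri=http://www.apple.com/it/home/images/30_years_copy.png\x00"
    b"\x7f\xff\x00"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\r\n"
    b"\x00\x01\x02"
    b"HTTP-memory-only-PB:domain=www.blognameblabla.com&uri=http://www.blognameblabla.com/wp-admin/\x00"
)

if __name__ == "__main__":
    keys = carve_private_browsing_keys(SAMPLE_BLOB)
    print(keys, carve_firefox_versions(SAMPLE_BLOB), keyword_hits(keys))
```

On a real image, read the file in binary mode and pass the bytes (or memory-map it) to the same functions.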





ANALYSIS METHODOLOGY 


Prefetch files
  • Install date
  • First execution date
  • Last execution date(s)
  • Number of executions
  • Tor Browser version

NTUSER\UserAssist key
  • Execution path
  • Last execution date
  • Total number of executions
  • Verify the history of execution through the Volume Shadow Copies

Other possible artifacts
  • Thumbnail Cache
  • Windows Search Database

Tor Browser files
  • State
  • Torrc
  • Compatibility.ini
  • Extensions.ini
  • Places.sqlite [Bookmarks]

Pagefile.sys (keyword search)
  • HTTP-memory-only-PB
  • Torproject
  • Tor
  • Torrc
  • Geoip
  • Torbutton
  • Tor-launcher

Hiberfil.sys
  • Convert to a memory dump
  • Analyze through Volatility
  • Keyword search


















REAL CASE 


• We indexed the hard drive and searched for the blog URL

• We found some interesting URLs in the pagefile, indicating access to the blog admin page (http://www.blognameblabla.com/wp-admin/)

REAL CASE

• All the URLs were preceded by the string HTTP-MEMORY-ONLY-PB, and Firefox is not installed on the laptop

• We found that the Tor Browser was downloaded with Google Chrome the night in which the file was published on the blog

• By analyzing the OS artifacts we found that it was installed and executed only once, 3 minutes before the publish date and time on the blog











ACTIVE RESEARCH

• Memory dump with Volatility and Rekall

• Can we find any temporal reference for browsing activities?

• Can we correlate Tor Browser cache entries to carved files from pagefile/hiberfil/memory dump?

• Tor Browser on Mac OS X
• Tor Browser on Linux
• Orbot on Android